Posted to users@subversion.apache.org by Steve Willer <st...@gmail.com> on 2006/08/21 17:58:12 UTC

Feature suggestion: Scriptable authentication

Hey, folks.

I've been running svnserve in a Windows environment, and we're now in a
situation of "temporary solution becomes permanent" that I would like to
resolve.

The problem is, we're using a local set of users in a plaintext file for
authentication. The passwords are also not strong, because they're viewable
by anyone who can see the file. It's pretty silly. We also can't use Apache2
for auth because ... well, this is Windows, and we have IIS all over the
place, including on that one machine. They don't coexist very well, and
taking on the whole Apache2 stuff as well as IIS is weird and nonstandard.

I have a simple solution that I'd like to get in as an enhancement. I think
it would be quite easy to implement: allow a scriptable authentication host
instead of a username textfile for the authentication. svnserve would run
the program on the command line, giving username and password, and the auth
program could return "yes" or "no" in its stdout (or something along those
lines).

If someone put this code into svn, I could contribute an AD lookup script.
Otherwise, I'll have to set up the whole dev/build environment for svn,
which sounds slightly daunting.

As per the buddy system described in the bug tracker, I'd like to get some
agreement before I put this in as a ticket.


Steve
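
The exchange proposed above, in which the server runs a helper program and acts on its "yes" or "no", sketched as an added example; it is not code from the original post or from Subversion. `HELPER`, `HELPER_CMD` and `check_credentials` are hypothetical names, the account is constructed sample data, and as an assumption the credentials go to the helper over a stdin pipe rather than as command-line arguments, which other local processes can usually read.

```python
import subprocess
import sys

# Hypothetical helper, standing in for the proposal's "auth program".
# It reads "username\npassword\n" on stdin and prints "yes" or "no".
# The user store is constructed sample data: salted PBKDF2 hashes, not plaintext.
HELPER = r'''
import hashlib, hmac, sys
SALT = b"constructed-salt"
def kdf(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
USERS = {"alice": kdf("correct horse")}      # constructed sample account
user, pw = sys.stdin.read().split("\n")[:2]  # malformed input raises -> exit != 0
candidate = kdf(pw)                          # always hash, known user or not
print("yes" if hmac.compare_digest(USERS.get(user, b""), candidate) else "no")
'''
HELPER_CMD = [sys.executable, "-c", HELPER]  # argv list, never a shell string


def check_credentials(username, password, helper_cmd=HELPER_CMD, timeout=5.0):
    """Server side (hypothetical): True only on exit 0 and exactly 'yes'."""
    # A line break in either field would shift the helper's input lines.
    if not username or any(c in username + password for c in "\r\n\0"):
        return False
    try:
        proc = subprocess.run(
            helper_cmd,
            input=f"{username}\n{password}\n",  # stdin, not argv
            capture_output=True, text=True, timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False  # helper missing, not executable, or hung: deny
    return proc.returncode == 0 and proc.stdout.strip() == "yes"


if __name__ == "__main__":
    print(check_credentials("alice", "correct horse"))  # valid login
    print(check_credentials("alice", "wrong"))          # bad password
    print(check_credentials("alice", "x", ["/nonexistent/helper"]))  # no helper
```

Every failure path (crash, timeout, unexpected output, missing helper) denies access, so a broken helper cannot turn into an open repository.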

Re: Feature suggestion: Scriptable authentication

Posted by Jeremy Pereira <je...@jeremyp.net>.
On 21 Aug 2006, at 18:58, Steve Willer wrote:

> Hey, folks.
>
>
> The problem is, we're using a local set of users in a plaintext  
> file for authentication. The passwords are also not strong, because  
> they're viewable by anyone who can see the file. It's pretty silly.  
> We also can't use Apache2 for auth because ... well, this is  
> Windows, and we have IIS all over the place, including on that one  
> machine. They don't coexist very well, and taking on the whole  
> Apache2 stuff as well as IIS is weird and nonstandard.

Actually, Apache and IIS coexist quite happily on the same Windows  
box, we do it with our repository.  When we first set up Apache, we  
had some weirdness with the installer which expected port 80 to be  
free, but we got around that by stopping IIS, installing Apache,  
changing the port in the conf file and then restarting both Apache  
and IIS.

Once we had the Apache svn config set up with authentication against  
the AD domain, we didn't have to touch it ever again except for  
upgrades.

>
> I have a simple solution that I'd like to get in as an enhancement.  
> I think it would be quite easy to implement: allow a scriptable  
> authentication host instead of a username textfile for the  
> authentication. svnserve would run the program on the command line,  
> giving username and password, and the auth program could return  
> "yes" or "no" in its stdout (or something along those lines).
>
> If someone put this code into svn, I could contribute an AD lookup  
> script. Otherwise, I'll have to set up the whole dev/build  
> environment for svn, which sounds slightly daunting.
>
> As per the buddy system described in the bug tracker, I'd like to  
> get some agreement before I put this in as a ticket.
>
>
> Steve

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Feature suggestion: Scriptable authentication

Posted by Erik Huelsmann <eh...@gmail.com>.
On 8/22/06, Vlad Georgescu <vg...@gmail.com> wrote:
> On 8/22/06, Erik Huelsmann <eh...@gmail.com> wrote:
> > Anyway, if you want to hack in an AD request into svnserve, that's
> > great! Please post your patch here for others to use while svnserve
> > isn't ready yet. You may want to look at the current SASL work to look
> > how/where to hack.
>
> If people want to authenticate to Active Directory they'll be able to
> do so using a Cyrus SASL-enabled svnserve in conjunction with either
> NTLM or Kerberos. No need to reinvent the wheel...

Right, but my point was that we may not be releasing that code for a
while (remember: we're still trying to get 1.4 out...) So, if he's
going to patch released code, others might benefit from that for the
time being...

Hope that explains it.

Bye,

Erik.


Re: Feature suggestion: Scriptable authentication

Posted by Vlad Georgescu <vg...@gmail.com>.
On 8/22/06, Erik Huelsmann <eh...@gmail.com> wrote:
> Anyway, if you want to hack in an AD request into svnserve, that's
> great! Please post your patch here for others to use while svnserve
> isn't ready yet. You may want to look at the current SASL work to look
> how/where to hack.

If people want to authenticate to Active Directory they'll be able to
do so using a Cyrus SASL-enabled svnserve in conjunction with either
NTLM or Kerberos. No need to reinvent the wheel...

-- 
Vlad


Re: Feature suggestion: Scriptable authentication

Posted by Erik Huelsmann <eh...@gmail.com>.
On 8/21/06, Steve Willer <st...@gmail.com> wrote:
>
>
>
> On 8/21/06, Erik Huelsmann <eh...@gmail.com> wrote:
> >
> > I hope you now feel this doesn't need an issue anymore?
>
>
> I guess it depends on the timeline of the release. :-)

Heh, but anything you'd submit wouldn't be released earlier than the
current SASL work... I have no idea about the timeline; probably not
within half a year, but it could be sooner, given enough requests.
We're focusing on getting 1.4 out first...

> To be honest, I don't think a cmdline auth script is any different than a
> plugin SASL thing, in terms of hackiness. The only difference to me is that
> one uses an API while another uses a pipe.

Well, many SASL libraries offer many different databases to
authenticate against without any coding; the pipe solution would
require coding on your part to do the actual auth request...

Anyway, if you want to hack in an AD request into svnserve, that's
great! Please post your patch here for others to use while svnserve
isn't ready yet. You may want to look at the current SASL work to look
how/where to hack.

HTH,

Erik.


Re: Feature suggestion: Scriptable authentication

Posted by Steve Willer <st...@gmail.com>.
On 8/21/06, Erik Huelsmann <eh...@gmail.com> wrote:
>
>
> I hope you now feel this doesn't need an issue anymore?


I guess it depends on the timeline of the release. :-)

To be honest, I don't think a cmdline auth script is any different than a
plugin SASL thing, in terms of hackiness. The only difference to me is that
one uses an API while another uses a pipe.


Steve

Re: Feature suggestion: Scriptable authentication

Posted by Erik Huelsmann <eh...@gmail.com>.
On 8/21/06, Steve Willer <st...@gmail.com> wrote:
> Hey, folks.

> The problem is, we're using a local set of users in a plaintext file for
> authentication. The passwords are also not strong, because they're viewable
> by anyone who can see the file. It's pretty silly. We also can't use Apache2
> for auth because ... well, this is Windows, and we have IIS all over the
> place, including on that one machine. They don't coexist very well, and
> taking on the whole Apache2 stuff as well as IIS is weird and nonstandard.
>
> I have a simple solution that I'd like to get in as an enhancement. I think
> it would be quite easy to implement: allow a scriptable authentication host
> instead of a username textfile for the authentication. svnserve would run
> the program on the command line, giving username and password, and the auth
> program could return "yes" or "no" in its stdout (or something along those
> lines).

Well, this feels a bit like a hack, but I've got a feeling you feel
about it that way too. Then you'll like our long term solution (to be
released in 1.5) better: currently a student on the Google Summer of
Code program is integrating the Cyrus SASL library for us into
svnserve. The SASL library can be configured to take several sources
for its passwords. Beware though that SSL needs to be integrated into
svnserve too before these passwords are transmitted out of the clear!
(At least, that's what I've been told.)


> If someone put this code into svn, I could contribute an AD lookup script.
> Otherwise, I'll have to set up the whole dev/build environment for svn,
> which sounds slightly daunting.
>
> As per the buddy system described in the bug tracker, I'd like to get some
> agreement before I put this in as a ticket.

I hope you now feel this doesn't need an issue anymore?

bye,

Erik.
